[OPENAM-5547] Agent behaviour when appending goto= to LoginURLs is not compatible with XUI login URL - ForgeRock JIRA

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: Agents-3.3.3, 12.0.0, 13.0.0, 13.5.0
Fix Version/s: 14.0.0
Component/s: XUI
Labels:
- AMAgent
- AME
- Candidate

Target Version/s:

Agents-5.0

Epic Link:
Agents 5.0

Support Ticket IDs:

Description

DESCRIPTION
============

This is apparent when using a login URL that points directly to the XUI login:

e.g

http://openam.example.com:8080/openam/XUI/#login/

The agent will append ?goto= to the end of this which is then parsed as the realm for login causing a failure to load. The agent should append &goto=... for this to work.

Setting the login URL to something with an & causes the agent to normalise with &goto= instead, e.g:

http://openam.example.com:8080/openam/XUI/#login/&

This works, but does not seem to be an intuitive solution. The default loginURL points to /openam/UI/Login which will then redirect correctly to XUI/#login/, however this seems like an inefficient extra step to go through each time.

Before
Create realm MyRealm
Configure agent against realm /MyRealm
Setup SSO On;ly
Before each
Clear browser cache if using a browser.
For (XUI turned off,XUI turned off)
For each url in the login url types
set the login url to be the next login url from the list (ssoadm set-attribute
For each Managed Resource URL
Send an HTTP GET to the url (curl -I "URL" could be used)
Check the HTTP code and Location returned are as expected
If you follow the url in a supported browser then the realm, service and goto parameters will be as expected and no errors will be reported.

EXPECTED OUTCOME
================
A 302 code should be produced
The location should be a valid url that will work for all supported browsers.

After following this url, the correct login page should be displayed for the correct realm and service.

ACTUAL OUTCOME
==============
The goto parameter is incorrectly added to XUI &?. In some cases there will be an error displayed and the realm parameter may be deleted when the browser is used.
http://openam.example.com:28080/openam/XUI/#login/&realm=MyRealm&?goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:28080/openam/XUI/#login/&realm=MyRealm&service=LDAPService&?goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:28080/openam/XUI/#login/&?goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:28080/openam/XUI/#login/MyRealm&service=LDAPService&?goto=http%3A%2F%2Fiisal.example.com%3A80%2F

WORKAROUND
==========
For XUI logins then put a trailing ampersand or use the old version

http://openam.example.com:8080/openam/UI/Login?realm=MyRealm
http://openam.example.com:8080/openam/XUI/#login/&realm=MyRealm&

Attachments

Issue Links

is related to

OPENAM-8173 OpenAM Login URL in the agent profile should support XUI login URL

Open

relates to

OPENAM-9597 Goto URL with multiple query string parameters incorrectly decoded

Resolved

Agent behaviour when appending goto= to LoginURLs is not compatible with XUI login URL

Details

Description

Attachments

Issue Links

Activity

People

Dates